Privacy Policy

Last updated: March 25, 2025

1. Introduction

WavelyLabs ("we," "us," or "our") operates SupaWave, a real-time collaborative messaging platform. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.

By using SupaWave, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information

When you register for SupaWave, we collect:

• Username — your chosen identifier on the platform
• Email address — used for account verification and communications
• Password hash — your password is salted and hashed before storage; we never store passwords in plain text

Usage Information

We may collect information about how you use the platform, including wave creation and participation, search queries, and general feature usage patterns to improve the service.

3. How We Use Your Data

We use the information we collect to:

• Authentication — verify your identity and manage access to your account
• Wave delivery — deliver waves and real-time updates to participants
• Search — enable you to search and discover waves you have access to
• Contacts — help you find and connect with other users on the platform
• Service improvement — analyze usage patterns to improve platform performance and features

4. Wave Content & Collaboration Data

Waves and their content (messages, replies, edits) are stored on our servers to provide the collaborative features of the platform. Key points:

• Wave content is visible to all participants added to that wave
• Public waves (shared with the domain) are visible to all registered users on the server
• Version history of waves is maintained to support playback and audit features
• Deleted waves may be retained in backups for a limited period

5. Gravatar Integration

SupaWave uses Gravatar to display user avatars. When this feature is active:

• An MD5 hash of your email address is sent to Gravatar's servers to retrieve your avatar image
• If you do not have a Gravatar account, a generated avatar or initials-based avatar is displayed instead
• Your email address itself is not shared with Gravatar — only the hash

6. Email Communications

We may send you emails for the following purposes:

• Email confirmation — to verify your email address during registration
• Password reset — to help you regain access to your account
• Magic link login — passwordless authentication via email link

Transactional emails are sent via the Resend API. We do not send marketing or promotional emails.

7. Cookies & Sessions

SupaWave uses cookies to maintain your authenticated session:

• JWT session cookie — a secure, HTTP-only cookie containing a JSON Web Token that identifies your session
• Expiry — session cookies expire after 14 days of inactivity
• We do not use third-party tracking cookies or advertising cookies

8. Data Storage & Security

We take reasonable measures to protect your data:

• Data is stored in MongoDB with encryption at rest
• Passwords are salted and hashed using industry-standard algorithms
• All communications between your browser and the server are encrypted via HTTPS/TLS
• Access to production systems is restricted to authorized personnel

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights

You have the following rights regarding your data:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate personal data
• Deletion — request deletion of your account and associated personal data
• Export — request an export of your wave data in a portable format

To exercise any of these rights, please contact us at support@supawa.ve.

10. Data Retention

We retain your account data for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, though some data may persist in encrypted backups for up to 90 days.

Wave content that you contributed to shared waves may remain visible to other participants even after your account is deleted, as it forms part of the collaborative record.

11. Children's Privacy

SupaWave is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal data, we will take steps to delete that information promptly. If you believe a child under 13 is using SupaWave, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Material changes may be communicated via email or an in-platform notice.

13. Operator & Contact

SupaWave is operated by WavelyLabs. If you have questions or concerns about this Privacy Policy or our data practices, please contact us: